Cookie Policy
Effective Date: March 4, 2026
Last Updated: March 23, 2026
This Cookie Policy explains how Kosmatic Solutions Inc. ("Kosmatic," "we," "us," or "our") uses cookies and similar technologies on our website https://kosmatic.com and the e-commerce stores where our tracking technology is deployed.
1. What Are Cookies?
Cookies are small text files stored on your device (computer, tablet, or mobile) when you visit a website. They help websites remember your preferences, understand how you use the site, and improve your experience.
We also use similar technologies like:
- LocalStorage and SessionStorage (browser storage)
- Pixels and web beacons (tiny invisible images)
- Browser fingerprinting (cookieless tracking method — see Section 3)
- Server-side event tracking (Meta Conversions API, GA4 Measurement Protocol)
2. Types of Cookies We Use
2.1 Essential Cookies (Required)
These cookies are necessary for the Service to function. You cannot opt out of these.

| Cookie Name | Purpose | Duration |
|-------------|---------|----------|
| auraflow_token | Authentication (JWT access token) | 15 minutes |
| auraflow_refresh | Session refresh token | 7 days |
| google_oauth_state | Google login security (CSRF) | Session |
| shopify_login_state | Shopify login security (CSRF) | Session |

Legal basis: Strictly necessary for the provision of the Service (ePrivacy Directive Art. 5(3) exemption; not subject to consent).
2.2 Functional Cookies
These cookies remember your preferences and settings.

| Cookie Name | Purpose | Duration |
|-------------|---------|----------|
| auraflow_consent | Your cookie/tracking consent choices | 90 days |
| auraflow_preferences | Dashboard display preferences (card density, auto-refresh) | 90 days |
| theme_preference | Light/dark mode | 1 year |

Legal basis: Consent. You may decline these; doing so may limit personalization features.
2.3 Analytics Cookies
These cookies help us understand how visitors interact with our Service.

| Cookie Name | Purpose | Duration |
|-------------|---------|----------|
| _ga (Google Analytics 4) | Distinguish users | 2 years |
| _gid (Google Analytics 4) | Distinguish users | 24 hours |
| _gat (Google Analytics 4) | Throttle request rate | 1 minute |

Legal basis: Consent. You may decline these without affecting core functionality.
2.4 Server-Side Tracking (No Cookies)
The following technologies operate server-side and do not place cookies on your device:

| Technology | Purpose | Data Sent |
|------------|---------|-----------|
| Meta Conversions API | Advertising attribution (when Merchant enables Meta integration) | Hashed email, conversion events (no raw behavioral data) |
| GA4 Measurement Protocol | Server-side analytics events | Anonymized usage events |

These are activated only when a Merchant configures the relevant integration.
3. Cookieless Tracking (Three-Tier Consent Model)
For visitors who decline cookies or where cookie consent has not been obtained, we use a privacy-preserving cookieless tracking system based on browser fingerprinting.
How It Works
- We collect technical signals from your browser (screen size, browser version, installed fonts, hardware capabilities, canvas/WebGL rendering characteristics)
- These signals are hashed using SHA-256 to create a temporary, probabilistic identifier
- The identifier is held in memory only — it is never written to your device
- The identifier expires after 24 hours and cannot be recovered
- The identifier cannot track you across different websites
Three Data Tiers

| Tier | Identifier | Consent Required | Data Collected | Retention |
|------|-----------|-----------------|----------------|-----------|
| Anonymous | None (aggregate only) | No | Scroll velocity, scroll depth, reading pattern, rage/dead clicks, form interaction patterns | Session only |
| Pseudonymous | Ephemeral fingerprint (24h) | No (legitimate interest) | Decision latency, backtracks, mouse hesitation, pricing attention, CTA engagement, exit trajectory, session depth, product attention | 24 hours |
| Identified | Persistent visitor ID | Yes (explicit consent) | Email, name, cart value, checkout progress, order history, quiz responses, UTM/campaign data | Configurable (default 90 days) |

Comparison with Traditional Cookies

| Feature | Traditional Cookies | Cookieless Fingerprinting |
|---------|---------------------|---------------------------|
| Stored on device | Yes | No (memory only) |
| Cross-site tracking | Possible | No |
| Duration | Days to years | 24 hours maximum |
| Personal identification | Yes | No (probabilistic only) |
| Survives browser restart | Yes | No |
| Privacy impact | Higher | Lower |

Legal Basis for Cookieless Tracking
- Anonymous tier: No personal data processed; outside scope of GDPR/ePrivacy
- Pseudonymous tier: Processed under legitimate interest (GDPR Art. 6(1)(f)) — we have conducted a balancing test and determined that the limited, ephemeral nature of fingerprinting (24-hour TTL, no cross-site tracking, no device storage) does not override data subjects' rights. You may object at any time (see Section 5).
- Identified tier: Processed under explicit consent (GDPR Art. 6(1)(a))
4. Third-Party Cookies
Some cookies are placed by our trusted partners:

| Third Party | Purpose | Privacy Policy |
|-------------|---------|----------------|
| Google Analytics | Usage analytics | Google Privacy |
| Google OAuth | Authentication | Google Privacy |
| Shopify | E-commerce integration | Shopify Privacy |
| Render | Hosting infrastructure | Render Privacy |

We do not allow third parties to use cookies for advertising on our platform without your explicit consent.
5. Managing Your Cookie and Tracking Preferences
5.1 Consent Banner
When you first visit our Site or a Merchant's store where our technology is deployed, you'll see a cookie consent banner. You can:
- Accept All: Allow all cookies and tracking (all three tiers)
- Customize: Choose which categories to allow
- Essential Only: Only required cookies and Anonymous-tier tracking (no fingerprinting, no identified data)
5.2 Browser Settings
You can also control cookies through your browser:

| Browser | Instructions |
|---------|--------------|
| Chrome | Settings → Privacy and security → Cookies |
| Firefox | Settings → Privacy & Security → Cookies |
| Safari | Preferences → Privacy → Cookies |
| Edge | Settings → Cookies and site permissions |

5.3 Do Not Track & Global Privacy Control
We respect the following privacy signals:
- Do Not Track (DNT) — Legacy browser signal
- Global Privacy Control (GPC) — Modern standard for opting out of data sales/sharing
If either signal is detected, we:
- Disable non-essential cookies
- Limit data collection to Anonymous tier only (no fingerprinting)
- Treat as opt-out of data "sharing" under CCPA/CPRA
- Do not sync data to advertising platforms (Meta, Google Ads)
5.4 Changing Your Preferences
You can update your cookie and tracking preferences at any time by:
- Clicking the "Cookie Settings" link in our footer
- Clearing your browser cookies (resets consent preferences)
- Contacting us at support@kosmatic.com
5.5 Opting Out of Cookieless Tracking
Even though cookieless fingerprinting does not store data on your device, you have the right to object:
- Enable GPC or DNT in your browser (we honor both)
- Contact the Merchant whose store you are visiting
- Email support@kosmatic.com with identifying details (store visited, approximate date/time)
6. Cookie Duration

| Category | Duration | Rationale |
|----------|----------|-----------|
| Essential | Session to 7 days | Security and authentication |
| Functional | 90 days to 1 year | Remember preferences |
| Analytics | 90 days to 2 years | Long-term trend analysis |
| Fingerprinting | 24 hours (memory only) | Temporary visitor identification |

7. Data Collected via Each Technology
Essential & Functional Cookies
- Login session status
- User preferences (theme, display density)
- Consent choices
Analytics Cookies
- Pages visited
- Time on site
- Referral source
- Device and browser information
Cookieless Fingerprinting (Pseudonymous Tier)
- Screen resolution and viewport size
- Browser plugins and installed fonts
- Hardware capabilities (CPU cores, device memory)
- Canvas and WebGL rendering characteristics
- Time zone and language settings
Note: Fingerprinting data is processed in memory and used solely to generate a temporary hash. The raw signals are not stored.
Server-Side Tracking
- Conversion events (purchase, add-to-cart)
- Hashed identifiers (SHA-256 email hash)
- No raw behavioral data transmitted to third parties
8. Updates to This Policy
We may update this Cookie Policy to reflect changes in technology or law. Changes will be posted on this page with an updated "Last Updated" date.
Significant changes will be notified via:
- Email to registered users
- Banner on our website
- Dashboard notification
9. Contact Us
Questions about cookies or tracking?
Email: support@kosmatic.com
Address: Vancouver, British Columbia, Canada
10. Additional Resources
- Privacy Policy
- Terms of Service
- Data Processing Agreement
- GDPR Information
- All About Cookies
- Global Privacy Control
END OF COOKIE POLICY